tetragon: Add support to retrieve environment variables #4184
Conversation
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
olsajiri
added
the
release-note/minor
olsajiri
force-pushed
the
pr/olsajiri/exec
branch
3 times, most recently
from
0fbb328 to
9dd22a4
Compare
olsajiri
force-pushed
the
pr/olsajiri/exec
branch
2 times, most recently
from
e35bac7 to
310e337
Compare
olsajiri
force-pushed
the
pr/olsajiri/exec
branch
3 times, most recently
from
f906c12 to
6a4eec3
Compare
olsajiri
changed the title
olsajiri
force-pushed
the
pr/olsajiri/exec
branch
from
6a4eec3 to
8b4eaf6
Compare
FedeDP
left a comment
FedeDP
left a comment
There was a problem hiding this comment.
Left some comments but the PR is egregious :) Great job!
olsajiri
force-pushed
the
pr/olsajiri/exec
branch
2 times, most recently
from
f4de6a0 to
b546118
Compare
kkourt
left a comment
kkourt
left a comment
There was a problem hiding this comment.
Thanks!
Please find some comments below.
| var desc dataapi.DataEventDesc | ||
|
|
||
| dr := bytes.NewReader(args) | ||
| if exec.SizePath != 0 { |
There was a problem hiding this comment.
Are there legitimate cases where this can be zero? (similarly for the other added sizes)
There was a problem hiding this comment.
yes, if probe read fails on the envs data, then EVENT_ERROR_ARGS should be set
There was a problem hiding this comment.
But we continue reading everything else if I understand correctly from the code?
| } | ||
|
|
||
| #ifdef __LARGE_BPF_PROG | ||
| FUNC_INLINE __u32 read_envs(void *ctx, struct msg_execve_event *event) |
There was a problem hiding this comment.
Will this work correctly for execs happening from inside the kernel (e.g, call_usrmodehelper and friends).
There was a problem hiding this comment.
yep, environment is stored the same way, so we get it.. like:
{"process_exec":{"process":{"exec_id":"cWVtdS0xOjUyNzE3MDc3ODA3MjoxMjYxOA==","pid":12618,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd-coredump","arguments":"12617 1000 1000 11 1763675427 102400000000 qemu-1 1 3","flags":"execve rootcwd clone","start_time":"2025-11-20T21:50:27.329868374Z","auid":4294967295,"parent_exec_id":"cWVtdS0xOjI5NzAwMDAwMDA6Mg==","tid":12618,"in_init_tree":false,"environment_variables":"HOME=/ TERM=linux PATH=/sbin:/usr/sbin:/bin:/usr/bin"},"parent":{"exec_id":"cWVtdS0xOjI5NzAwMDAwMDA6Mg==","pid":2,"uid":0,"binary":"[kthreadd]","flags":"procFS","start_time":"2025-11-20T21:41:43.129089721Z","auid":4294967295,"parent_exec_id":"cWVtdS0xOjE6MA==","tid":2,"in_init_tree":false}},"node_name":"qemu-1","time":"2025-11-20T21:50:27.329867762Z"}
api/v1/tetragon/tetragon.proto
Outdated
| // tool like nsenter or kubectl exec. | ||
| google.protobuf.BoolValue in_init_tree = 20; | ||
| // Environment variables passed to the binary at execution. | ||
| string environment_variables = 21; |
There was a problem hiding this comment.
Question: Should we parse this in user-space and offer an array to the user?
E.g.,
message EnvEntry {
string Key = 1;
string Value = 2;
}
And return:
repeated EnvEntry environment_variables = 21
There was a problem hiding this comment.
not sure.. as you already mentioned catching this impacts performance already,
also it's sort of similar to args string which we handle the same way together with the redaction support
There was a problem hiding this comment.
Yeah, but splitting a string in userspace (I'm guessing based on a ) character shouldn't have a big impact on performance, no?
There was a problem hiding this comment.
Yeah I'm wondering too if it's not a nice UX improvement that is pretty cheap considering everything that we already do in this gRPC conversion. No strong feelings.
pkg/option/flags.go
Outdated
| flags.Bool(KeyEnableProcessEnvironmentVariables, false, "Include environment variables in process_exec events. Disabled by default. Note that this option can significantly increase the size of the events and may impact performance") | ||
|
|
There was a problem hiding this comment.
Let's add a note about sensitive information in the flag.
E.g., "Include environment variables in process_exec events. Disabled by default. Note that this option can significantly increase the size of the events and may impact performance, as well as capture sensitive information such as passwords in the events"
There was a problem hiding this comment.
"as well as capture sensitive information such as passwords in the events" might be super verbose but we can also mention the feature we have for redacting such content here.
mtardy
left a comment
mtardy
left a comment
There was a problem hiding this comment.
Thanks, here are a few comments, I think using size based parsing is cleaner indeed and easier to understand than searching for those NULL bytes.
api/v1/tetragon/tetragon.proto
Outdated
| // tool like nsenter or kubectl exec. | ||
| google.protobuf.BoolValue in_init_tree = 20; | ||
| // Environment variables passed to the binary at execution. | ||
| string environment_variables = 21; |
There was a problem hiding this comment.
Yeah I'm wondering too if it's not a nice UX improvement that is pretty cheap considering everything that we already do in this gRPC conversion. No strong feelings.
mtardy
added
release-note/major
As the comment suggested the filename could be sent through data event, let's read the filename instead. Signed-off-by: Jiri Olsa <[email protected]>
We can return just proc object and error without the bool state. Making nopMsgProcess part of execParse init code so there's no longer need for the function. Signed-off-by: Jiri Olsa <[email protected]>
We are about to add another extra info to the exec event (environment variables), so instead of relying on separators lets add size for each data and allow the user space easier parsing. Signed-off-by: Jiri Olsa <[email protected]>
Let's share the functionality in single function. Signed-off-by: Jiri Olsa <[email protected]>
Adding test for execParse with api.EventErrorFilename and make sure we get proper results. Signed-off-by: Jiri Olsa <[email protected]>
Add test for execParse with just filename and make sure we get proper results. Signed-off-by: Jiri Olsa <[email protected]>
olsajiri
force-pushed
the
pr/olsajiri/exec
branch
from
b546118 to
6f8def7
Compare
Adding support to read environment variables. It's guarded with tg_conf_map::env_vars_enabled variable and same as for arguments we either use space in the exec event or send it through separate data event. Signed-off-by: Mikita Iwanowski <[email protected]> Signed-off-by: Jiri Olsa <[email protected]>
It will store environment variables for the process. Signed-off-by: Jiri Olsa <[email protected]>
Signed-off-by: Jiri Olsa <[email protected]>
olsajiri
force-pushed
the
pr/olsajiri/exec
branch
2 times, most recently
from
c69ad85 to
02c4cb2
Compare
Adding parsing of the environment variables data from the exec event and the --enable-process-environment-variables option to enable this feature. Signed-off-by: Mikita Iwanowski <[email protected]> Signed-off-by: Jiri Olsa <[email protected]>
Add test for execParse with filename, args, cwd, envs and make sure we get proper results. Signed-off-by: Jiri Olsa <[email protected]>
Add test for execParse with filename, args, cwd and empty envs and make sure we get proper results. Signed-off-by: Jiri Olsa <[email protected]>
Add support to redact data from environment variables. Signed-off-by: Jiri Olsa <[email protected]>
Adding redact test for environment variables. Signed-off-by: Jiri Olsa <[email protected]>
Adding support to filter specific environment variables with --filter-environment-variables VAR1[,VAR2..] option. Only specified variables will be part of the event, like with: --filter-environment-variables "TEST_VAR1" only TEST_VAR1 will be stored in the event. Signed-off-by: Jiri Olsa <[email protected]>
Adding observer test with basic check for environment variables. Signed-off-by: Jiri Olsa <[email protected]>
Adding observer test with check for environment variables with applied filter. Signed-off-by: Jiri Olsa <[email protected]>
Adding observer test with check for environment variables with applied filter and redaction. Signed-off-by: Jiri Olsa <[email protected]>
Adding docs for environment variables redaction. Signed-off-by: Jiri Olsa <[email protected]>
olsajiri
force-pushed
the
pr/olsajiri/exec
branch
from
02c4cb2 to
e0d7b24
Compare
| "size", strutils.SizeWithSuffix(entries*int(unsafe.Sizeof(execvemap.ExecveValue{})))) | ||
|
|
||
| if option.Config.EnableProcessEnvironmentVariables { | ||
| Execve.RewriteConstants["ENV_VARS_ENABLED"] = uint8(1) |
| It's also possible to store only requested environment variables with | ||
| '--filter-environment-variables VAR1[,VAR2..]` option. |
There was a problem hiding this comment.
nit: feel free to ignore
| It's also possible to store only requested environment variables with | |
| '--filter-environment-variables VAR1[,VAR2..]` option. | |
| It's also possible to store only requested environment variables with the | |
| '--filter-environment-variables VAR1[,VAR2..]` option. |
Also this could be documented in the part that describes this feature, but if we don't have any, that's cool
| with_errmetrics(probe_read, &env_start, sizeof(env_start), _(&mm->env_start)); | ||
| with_errmetrics(probe_read, &env_end, sizeof(env_end), _(&mm->env_end)); |
storing environment variables into process event data, enabled with
--enable-process-environment-variablesoption,and we allow to redact info from the variables
reworked a bit the exec data parsing and added the environment variables parsing contributed by @slntopp,
I left the SOB info in some changes, @slntopp please shout if you want to make some changes